Entrust Instant Financial Issuance (formerly known as Cardwizard) 6.10.0, 6.9.0, 6.9.1, 6.9.2, and 6.8.x and earlier uses a DLL library (i.e. DCG.Security.dll) with a custom AES encryption process that relies on static hard-coded key values. These keys are not uniquely generated per installation of the software. Combined with the encrypted password that can be obtained from WebAPI.cfg.xml in CVE-2024-39341, the decryption is trivial and can lead to privilege escalation on the Windows host.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.